Re: Repeated logon attempts from different ports of same IP
From: Dave (noone_at_nowhere.com)
Date: 03/31/05
- Next message: Bill in Co.: "Re: MS05-002 on 9x and ME"
- Previous message: itboshd: "Need to Re-Apply file/folder permissions"
- In reply to: Mark D. Meyer: "Re: Repeated logon attempts from different ports of same IP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 31 Mar 2005 13:05:34 -0500
ok, that helps a bit. you don't have a tcp/ip problem, the port numbers
being used are meaningless in this problem. it is normal for a machine to
increment or even randomly pick an unused port to make outgoing connections.
the tcpview info may not mean anything useful either, it just confirms that
the machine is making the connection.
the more interesting information would be from netstat -ao, this would show
you what process is making the connections and may give a clue about why.
also check the workstation's logs and see if it is logging any errors. you
may want to give more specifics on the event log entries, maybe some of the
details would mean something to someone who knows more about that type of
problem. for now all i see that you may want to look at is this article to
see if it has any clues:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822774
"Mark D. Meyer" <MarkDMeyer@discussions.microsoft.com> wrote in message
news:EB85CEE0-B6FE-497C-A14F-F547F87CFB41@microsoft.com...
> Believe me, if you will tell me exactly what you want / need to know, I
will
> get it for you.
>
> Let me see if I can make this as clear as possible.
>
> I have the latest engine and DAT for McAfee VirusScan 8.0i, as well as for
> Desktop Firewall, Windows XP Pro, AdAware, and SpyBot. I have no drives
> mapped or printers. These two systems are only within the same subnet. On
the
> Windows XP Pro box, the system will ( every 1/2 second ) try to log on to
the
> NtLmSss on the Windows 3003 Server. It shows up in the Security Event Log
on
> the server as .....
>
> Event 538 Logon/Logoff
> 680 Account Logon
> 576 Priviledge Use
> 540 Logon/Logoff
>
> Each time the 540 event is from the same PC, same IP, but different port.
It
> also moves up ports by 3 at a time. ie...2546, 2549, 2552 and so on.
>
> In TCPView on the workstatioin, it will show the latest as listening and
the
> four to five instances as waiting.
>
> If there is any other info that you think will help, by all means let me
> know and thank you for your assistance so far....
>
> Mark
>
>
> "Dave" wrote:
>
> > unfortunately you are only providing bits and pieces of information, not
> > enough for anyone to really be able to figure out what your problem may
be.
> > we can't read your mind, only what you type into a message. if you want
> > some specific answers try replying with some specifics to the last two
sets
> > of specific questions rather than just throwing in another disjointed
piece
> > of the puzzle.
> >
> > "Mark D. Meyer" <MarkDMeyer@discussions.microsoft.com> wrote in message
> > news:86446BEE-EEAA-4AC8-ACA7-511AE12D3EF0@microsoft.com...
> > > Something else I noticed today when I was using TCPView. It is always
> > ending
> > > with a epmap. Not one, but 5 ususally...The ports just keep
waiting...over
> > > and over and over....
> > >
> > > "Dave" wrote:
> > >
> > > > what is showing you this activity? how do you know its trying to
> > 'logon'?
> > > > have you put a sniffer on the net to see what the traffic really is?
> > you
> > > > know the ip its coming from, what is that machine? what does
netstat on
> > > > that machine show it is doing?
> > > >
> > > > "Mark D. Meyer" <MarkDMeyer@discussions.microsoft.com> wrote in
message
> > > > news:B20C64FD-94F0-4BCB-B61D-A1D0DB3B165A@microsoft.com...
> > > > > No it is not a domain environment, just a stand alone server.
> > > > > It is always from the same ip trying to logon to the server at a
> > different
> > > > > port each time. ie....2546,2459,2462,2465 and so on. It will do it
> > > > thousands
> > > > > of times a day.
> > > > > It appears to be the workstation.
> > > > >
> > > > > Thanks so far....:-)
> > > > >
> > > > > Mark
> > > > >
> > > > > "Roger Abell" wrote:
> > > > >
> > > > > > Backup here . . .
> > > > > > You have a domain environment?
> > > > > > The source port varies, but what is the target port?
> > > > > > Is it the workstation, or some account when used on that
workstation
> > > > > > that is attempting login to the server? If it is a domain
account,
> > have
> > > > > > you examined it, its login script, its startup items?
> > > > > >
> > > > > > --
> > > > > > Roger
> > > > > > "Mark D. Meyer" <MarkDMeyer@discussions.microsoft.com> wrote in
> > message
> > > > > > news:E7F49CAD-F115-4DC0-8DB7-D45743C8757A@microsoft.com...
> > > > > > > Help !
> > > > > > >
> > > > > > > I have one workstation that is attempting to logon over and
over
> > at
> > > > > > > different ports. It will try 2536, then .20 seconds later,
2539
> > and so
> > > > on.
> > > > > > I
> > > > > > > have reloaded the XP Pro workstation from scratch and it
> > reappeared
> > > > > > > immediately. This will go on for thousands of times a day.
> > > > > > >
> > > > > > > I am running McAfee VirusScan Enterprise 8.0i, McAfee Desktop
> > > > Firewall,
> > > > > > > SpyBot Search & Destroy, and Ad Aware. None of them can detect
> > > > anything. I
> > > > > > > have my MS Windows 2003 Server locked down pretty tight, but
> > really
> > > > need
> > > > > > to
> > > > > > > know what it testing my security over and over. I checked with
my
> > ISP
> > > > and
> > > > > > > nothing out of the ordinary is going out over the internet
either.
> > > > > > >
> > > > > > > Any help will be very appreciated. Sleep will come next.....
> > > > > > >
> > > > > > > Thanks...
> > > > > > >
> > > > > > > Mark
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >
- Next message: Bill in Co.: "Re: MS05-002 on 9x and ME"
- Previous message: itboshd: "Need to Re-Apply file/folder permissions"
- In reply to: Mark D. Meyer: "Re: Repeated logon attempts from different ports of same IP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
